From owner-freebsd-security Tue Jul 25 19:39:58 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id 04DC837BBFF for ; Tue, 25 Jul 2000 19:39:53 -0700 (PDT) (envelope-from avalon@cairo.anu.edu.au)
Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id MAA02404; Wed, 26 Jul 2000 12:39:44 +1000 (EST)
From: Darren Reed
Message-Id: <200007260239.MAA02404@cairo.anu.edu.au>
Subject: Re: log with dynamic firewall rules
To: stephen@math.missouri.edu (Stephen Montgomery-Smith)
Date: Wed, 26 Jul 2000 12:39:44 +1000 (Australia/NSW)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <397E4487.A868B713@math.missouri.edu> from "Stephen Montgomery-Smith" at Jul 25, 2000 08:53:11 PM
X-Mailer: ELM [version 2.5 PL1]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Stephen Montgomery-Smith, sie said:
>
> Stephen Montgomery-Smith wrote:
> >
> > I would like to set up a firewall with dynamic rules to allow
> > ssh from the outside. I would like these incoming ssh's logged.
> > So I tried something like:
> >
> > ipfw add pass log tcp from any to my.computer.net 22 keep-state setup
> >
>
> OK, does everyone else agree with me that if an ipfw rule is logged
> and keep-state, then one only needs to log when the rule is established -
> not every time a packet passes through it?
[...]

ah, you've stumbled across that one :)

pass in log first ... keep state

is what you would do in IP Filter :-)

Remember, that there may be some situations where you want to log them all.
On top of that, you can just leave out "log" from the filter rule and use
the state log instead.
You know, in half the time you've spent toying with ipfw you could have
had ipfilter working and not had to patch the source O:-)

It seems the "statefulness" of ipfw is much more complex than it should be.

Darren
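[Editor's added example, not part of Darren's message or of the IP Filter or ipfw sources. It writes out the two IP Filter alternatives he sketches for the inbound-ssh case: log only the packet that creates the state entry, or leave "log" off the rule and take session records from the state log. The interface name fxp0 and the address 192.0.2.10 are placeholders for the firewall's outside interface and the ssh host.]

```conf
# ipf.conf fragment (added example). Use ONE of the two rules, not both.

# (a) "log first": the rule logs only the SYN that creates the state entry.
#     Later packets of the session are matched by the state table, never
#     re-evaluated against this rule, so they are not logged again.
pass in log first quick on fxp0 proto tcp from any to 192.0.2.10 port = 22 flags S keep state

# (b) No "log" on the rule at all. Session creation and expiry are then
#     recorded by ipmon's state log (ipmon -o S) rather than the packet log.
# pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 22 flags S keep state
```

If the aim is an audit trail of every packet of every ssh session (the case Darren notes "there may be some situations where you want to log them all"), drop the word "first" from (a) so that "log" applies to each packet the rule passes; the state entry still handles the rest of the session, only the logging behaviour changes.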